RE: What tools do you use to comply with Sarbanes-Oxley?

My company has been using Idera's SQL Compliance manager for over two years
now and my database audit takes about an hour a year.

Ultimately the auditors wanted to know that we [my DBA team] weren't making
unauthorized changes to our critical financial applications. We used Idera
in conjunction with our helpdesk system (BMC Magic) to tie everything
together. Every data change requires a helpdesk ticket and we embed the
ticket # in the query. When we run the Idera reports weekly the security
officer ties back our changes to the tickets. The auditors come in and
review the weekly reports to make sure everything ties.

One of our apps generates over a million transactions daily and Idera
handles it just fine. Our biggest database is about 100 GB in size and the
tool typically audits about 20 GB worth of information over a two week period
(at least that's the typical size of our largest Idera audit database.)
We've currently got eight servers and about a dozen databases being audited
by the Idera tool. Idera's "collection server" runs on a dual proc/dual core
machine with 2 GB of memory. The collection server runs alongside several
other applications and the server is not taxed in the slightest. I actually
have that server earmarked to consolidate yet another application (I'm trying
valiantly to fight server sprawl.)

I've never had a problem with Idera and I'm quite happy with it.

If you'd like more information about it, feel free to get in touch with me.

Regards,
Brian Smith
Enterprise Data Architect
Hanger Orthopedic Group, Inc.


"Sean McCown" wrote:

I've played with all of these tools through the magazine and most of the just
won't give you what you want. I used to see good things with Lumigent, but
lately I've been hearing more and more accounts that it's nothing special.
IPLocks and Guardium definitely aren't the way to go either. They've both
turned down reviews twice and I can only guess it's because they know they're
not ready.

Idera is the same. I've never heard one good thing about the product and
when I played with it, it couldn't keep up with my load. And that was just
in my lab, not even in prod.

GridApp's not that kind of application, so it really won't help you with
compliance at all. It's good, and I like what it does for you, but
compliance isn't one of them.

To be honest I'll have to go over my notes about Tizor and RippleTech. I
just don't remember much about them right now.

It also depends on what you need to audit for and what your environment is
like. I tend to lean away from appliances if I can, they're just more
expensive than they're worth usually.

Embarcadero also has an auditing tool. I wish I could be more actual help,
but the truth is, I'm not really happy with any of the tools out there.


--
Read my book reviews at:
www.ITBookworm.com

Blog Author of:
Database Underground -- http://weblog.infoworld.com/dbunderground/
DBA Rant – http://dbarant.blogspot.com




"Kenny" wrote:

Does anyone use tools from www.lumigent.com, www.guardium.com,
http://www.idera.com/Products/SQLcm/ for this?



Others I've looked at a little are www.tizor.com, www.rippletech.com,
www.iplocks.com, www.consul.com and www.gridapp.com.



The best one depends on if you are looking for a network appliance like
guardium or an agent approach like lumigent and idera.



Here is another post that list some solutions:
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1894402&SiteID=1



Audit Tools
ApexSQL Audit http://www.apexsql.com/sql_tools_audit.asp
AuditDatabase (Free Web based trigger generation)
http://www.auditdatabase.com/
Lumigent Audit DB http://www.lumigent.com/products/auditdb.html
OmniAudit http://www.krell-software.com/omniaudit/index.asp
SQLLog
http://www.rlpsoftware.com/mainframe.asp?contents=SQLLog.asp&mainmenu=SQLLog&submenu=Info
Upscene SQL Log Manager
http://www.upscene.com/index.htm?./products/audit/mssqllm_main.htm
DB Audit Expert http://www.softtreetech.com/dbaudit/


.

Relevant Pages

  • RE: database server audit tools
    ... For ongoing audit accountability and regulatory compliance via log ... Subject: database server audit tools ... please send me also some links to harden my database server from attacks.. ... Audit your website security with Acunetix Web Vulnerability Scanner: ...
    (Pen-Test)
  • Re: Concatenate and Null Values -- Features
    ... I hate to be a pest but I have been reading ACC: Database Normalization ... Data Table and linked to this one using the Audit Number. ... I wonder if storing 07-01 (probably without the dash, ... I think I know what you're saying about learning by teaching. ...
    (microsoft.public.access.reports)
  • Re: Concatenate and Null Values -- Features
    ... tstTstID autonumber primary key ... I hate to be a pest but I have been reading ACC: Database Normalization ... Data Table and linked to this one using the Audit Number. ...
    (microsoft.public.access.reports)
  • Re: Concatenate and Null Values -- Features
    ... tstTstID autonumber primary key ... I hate to be a pest but I have been reading ACC: Database Normalization ... Data Table and linked to this one using the Audit Number. ... I think I know what you're saying about learning by teaching. ...
    (microsoft.public.access.reports)
  • Re: Basic question | run multiple queries without reconnecting
    ... How can you run multiple queries w/o reconnecting to the database? ... audit alter sequence by <indiv acct> by access; ... We do have a centralised app written in Java which connects ...
    (comp.databases.oracle.server)